How to Configure Bridge Networking on RHEL 7

A network bridge is a Layer 2 virtual switch that connects multiple network interfaces, allowing them to share a single network segment. On RHEL 7, bridge networking is essential for virtualization with KVM — virtual machine interfaces are typically attached to a bridge so VMs appear as regular hosts on the physical network with their own IP addresses. Bridges are also used with Docker to provide container networking and can be combined with bonded interfaces for added redundancy. This tutorial covers installing bridge-utils, creating a bridge using both nmcli and manual interface configuration files, adding a physical NIC as a bridge slave, verifying connectivity, and addressing firewall and SELinux considerations.

Prerequisites

  • RHEL 7 server with root or sudo access
  • At least one physical network interface (e.g., ens33) connected to the network
  • NetworkManager running (systemctl status NetworkManager)
  • Physical access or an out-of-band console to the server, since reconfiguring the primary NIC will temporarily drop the network connection

Step 1: Install bridge-utils

The bridge-utils package provides the brctl command for managing bridges:

sudo yum install -y bridge-utils

Verify the installation:

brctl --version

Step 2: Identify Your Network Interface

Before creating the bridge, identify the physical interface you will assign to it:

ip link show
nmcli device status

Note the interface name (commonly ens33, eth0, or enp3s0 on RHEL 7). Also record the current IP address configuration that you will move to the bridge:

ip addr show ens33

Step 3: Create the Bridge Using nmcli

NetworkManager on RHEL 7 supports bridge creation directly through nmcli. This method is preferred as it integrates with NetworkManager for persistence across reboots.

Create the bridge interface br0:

sudo nmcli connection add type bridge ifname br0 con-name br0

Assign a static IP address to the bridge (replace with your network values):

sudo nmcli connection modify br0 \
  ipv4.addresses "192.168.1.50/24" \
  ipv4.gateway "192.168.1.1" \
  ipv4.dns "8.8.8.8 8.8.4.4" \
  ipv4.method manual

Set bridge options (optional but recommended for KVM use):

sudo nmcli connection modify br0 bridge.stp yes
sudo nmcli connection modify br0 bridge.forward-delay 2

Add the physical NIC ens33 as a slave (port) of br0:

sudo nmcli connection add type bridge-slave ifname ens33 master br0 con-name br0-slave-ens33

Bring down the existing ens33 connection and bring up the bridge:

sudo nmcli connection down ens33
sudo nmcli connection up br0-slave-ens33
sudo nmcli connection up br0

Step 4: Configure the Bridge Using Interface Configuration Files

Alternatively, you can configure the bridge directly with /etc/sysconfig/network-scripts/ files. This method is useful in environments where NetworkManager is disabled.

Create the bridge configuration file:

sudo vi /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
TYPE=Bridge
BOOTPROTO=none
IPADDR=192.168.1.50
PREFIX=24
GATEWAY=192.168.1.1
DNS1=8.8.8.8
DNS2=8.8.4.4
ONBOOT=yes
DELAY=0
STP=yes
NM_CONTROLLED=no

Modify the physical NIC configuration file to remove its IP and assign it to the bridge:

sudo vi /etc/sysconfig/network-scripts/ifcfg-ens33
DEVICE=ens33
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
BRIDGE=br0
NM_CONTROLLED=no

The key directive is BRIDGE=br0, which attaches the physical NIC to the bridge. Restart networking to apply changes:

sudo systemctl restart network
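
A pre-restart check for the port file described above, as an added example that is not part of the original tutorial. It flags a missing BRIDGE= directive and Layer 3 settings left on the physical NIC; the function names and the sample file names are assumptions, and the sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example: lint an ifcfg port file before restarting the network service.

# lint_bridge_port FILE BRIDGE: print each problem found; exit status 1 if any.
lint_bridge_port() {
  awk -F= -v br="$2" '
    /^[ \t]*#/ || !/=/ { next }                # skip comments and non-assignments
    { k = $1; v = $2; gsub(/[ \t"]/, "", k); gsub(/[ \t"]/, "", v); cfg[k] = v }
    END {
      bad = 0
      if (cfg["BRIDGE"] != br) {
        print "BRIDGE is \"" cfg["BRIDGE"] "\", expected " br; bad = 1
      }
      n = split("IPADDR PREFIX NETMASK GATEWAY", l3, " ")
      for (i = 1; i <= n; i++)
        if (l3[i] in cfg) {
          print l3[i] " is still set on the port; it belongs in ifcfg-" br; bad = 1
        }
      if (cfg["BOOTPROTO"] == "dhcp") {
        print "BOOTPROTO=dhcp on the port; the bridge should own the address"; bad = 1
      }
      exit bad
    }
  ' "$1"
}

# write_ifcfg_samples DIR: constructed sample files (assumed names), one that
# matches the ifcfg-ens33 shown above and one with a leftover address.
write_ifcfg_samples() {
  printf '%s\n' DEVICE=ens33 TYPE=Ethernet BOOTPROTO=none ONBOOT=yes \
    BRIDGE=br0 NM_CONTROLLED=no > "$1/ifcfg-ens33.good"
  printf '%s\n' DEVICE=ens33 TYPE=Ethernet BOOTPROTO=dhcp \
    IPADDR=192.168.1.50 ONBOOT=yes > "$1/ifcfg-ens33.bad"
}

demo_dir=$(mktemp -d)
write_ifcfg_samples "$demo_dir"
lint_bridge_port "$demo_dir/ifcfg-ens33.good" br0 && echo "good: port file is clean"
lint_bridge_port "$demo_dir/ifcfg-ens33.bad" br0 || echo "bad: fix the items above"
rm -rf "$demo_dir"
```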

Step 5: Verify the Bridge Configuration

Check that the bridge was created and that ens33 is listed as a member interface:

brctl show

Expected output:

bridge name  bridge id          STP enabled  interfaces
br0          8000.000c29ab1234  yes          ens33

Verify that the bridge has the expected IP address:

ip addr show br0

Test network connectivity:

ping -c 3 192.168.1.1
ping -c 3 8.8.8.8
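
The membership check from brctl show can be scripted so that any interface attached to br0 outside an expected list is reported. This is an added example, not part of the original tutorial; the function names, the allowlist and the sample output (including vnet0, tap7 and virbr0) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare the ports listed by `brctl show` with an allowlist.

# Constructed sample of `brctl show` output (not captured from a real host).
sample_brctl_show() {
  cat <<'EOF'
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29ab1234       yes             ens33
                                                        vnet0
                                                        tap7
virbr0          8000.525400aa0001       yes             virbr0-nic
EOF
}

# bridge_ports BRIDGE: read `brctl show` text on stdin, print one port per line.
# Additional ports of a bridge appear on continuation lines that carry only the
# interface name, so the parser remembers which bridge the current row is for.
bridge_ports() {
  awk -v br="$1" '
    NR == 1 { next }                           # header row
    /^[^ \t]/ { cur = $1; if (cur == br && NF >= 4) print $4; next }
    NF >= 1 && cur == br { print $1 }          # continuation line
  '
}

# unexpected_ports BRIDGE "ALLOWED PORTS": read `brctl show` text on stdin and
# print every port of BRIDGE that is not in the space-separated allowlist.
# Exit status 0 when all ports are expected, 1 otherwise.
unexpected_ports() {
  up_allowed=" $2 "
  up_rc=0
  for up_port in $(bridge_ports "$1"); do
    case "$up_allowed" in
      *" $up_port "*) ;;
      *) echo "$up_port"; up_rc=1 ;;
    esac
  done
  return "$up_rc"
}

# Demo on the constructed sample: tap7 is not in the allowlist.
sample_brctl_show | unexpected_ports br0 "ens33 vnet0" \
  || echo "unexpected port(s) attached to br0"
```

On a live host, pipe the real command in instead of the sample: brctl show | unexpected_ports br0 "ens33".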

Step 6: Bridge Networking for KVM Virtual Machines

Once the bridge is in place, KVM virtual machines can be connected to it so they appear as hosts on the physical LAN. When creating a VM with virt-install, specify the bridge:

sudo virt-install \
  --name myvm \
  --ram 2048 \
  --disk path=/var/lib/libvirt/images/myvm.qcow2,size=20 \
  --os-variant rhel7.0 \
  --network bridge=br0 \
  --cdrom /tmp/rhel-server-7.9-x86_64-dvd.iso

For an existing VM, edit the interface in the VM XML to use the bridge:

sudo virsh edit myvm

Change the interface type to bridge:

<interface type='bridge'>
  <source bridge='br0'/>
  <model type='virtio'/>
</interface>

Step 7: Bridge with Bonding for Redundancy

For production environments, the bridge is typically attached to a bonded interface rather than a single NIC. Create a bond first:

sudo nmcli connection add type bond ifname bond0 con-name bond0 bond.options "mode=active-backup,miimon=100"
sudo nmcli connection add type bond-slave ifname ens33 master bond0
sudo nmcli connection add type bond-slave ifname ens34 master bond0

Then add the bond as a bridge slave instead of the physical NIC:

sudo nmcli connection add type bridge-slave ifname bond0 master br0 con-name br0-slave-bond0

This gives you both link redundancy (bonding) and bridging for VMs in a single configuration.

Step 8: Firewall and SELinux Considerations

Bridged traffic can be blocked by iptables when the br_netfilter kernel module is loaded, because the module passes bridged frames through the iptables chains. For KVM and Docker this filtering is generally desirable, but you may need to allow forwarded traffic:

sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i br0 -o br0 -j ACCEPT
sudo firewall-cmd --reload

To disable iptables filtering for bridge traffic entirely (only if your security policy allows it):

sudo sysctl -w net.bridge.bridge-nf-call-iptables=0
sudo sysctl -w net.bridge.bridge-nf-call-ip6tables=0

Make the setting persistent in /etc/sysctl.d/99-bridge.conf:

net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
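
Setting these keys to 0 means frames switched by br0 no longer traverse the host's iptables chains, so it is worth auditing which sysctl files set them. The following is an added example, not part of the original tutorial; the function names and the 50-constructed.conf sample file are assumptions, and both sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example: report what sysctl.d-style files do to bridge netfilter hooks.

# nf_value KEY FILE...: print the last value assigned to KEY across the files
# (later files and later lines win), or "unset" if none assigns it.
nf_value() {
  nv_key=$1; shift
  awk -v key="$nv_key" '
    /^[ \t]*[#;]/ { next }                     # "#" and ";" start comments
    {
      eq = index($0, "=")
      if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v
    }
    END { print (val == "" ? "unset" : val) }
  ' "$@"
}

# bridge_filtering_state FILE...: one line per key; exit status 1 if any key
# is configured so that bridged frames bypass the host firewall.
bridge_filtering_state() {
  bf_rc=0
  for bf_key in net.bridge.bridge-nf-call-iptables \
                net.bridge.bridge-nf-call-ip6tables; do
    bf_val=$(nf_value "$bf_key" "$@")
    case "$bf_val" in
      0) echo "$bf_key=0 BYPASS: bridged frames skip the host firewall"; bf_rc=1 ;;
      1) echo "$bf_key=1 filtered: bridged frames traverse the host firewall" ;;
      *) echo "$bf_key=$bf_val: not decided by these files, check the live value" ;;
    esac
  done
  return "$bf_rc"
}

# write_sysctl_samples DIR: constructed sample files for the demo.
write_sysctl_samples() {
  printf '%s\n' '# constructed sample' 'net.bridge.bridge-nf-call-iptables=1' \
    '; net.bridge.bridge-nf-call-ip6tables = 1' > "$1/50-constructed.conf"
  printf '%s\n' 'net.bridge.bridge-nf-call-iptables = 0' \
    'net.bridge.bridge-nf-call-ip6tables = 0' > "$1/99-bridge.conf"
}

demo_dir=$(mktemp -d)
write_sysctl_samples "$demo_dir"
bridge_filtering_state "$demo_dir"/*.conf || echo "bridged traffic is unfiltered"
rm -rf "$demo_dir"
```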

For SELinux, the virt_use_comm boolean may need to be enabled for KVM bridge access:

sudo setsebool -P virt_use_comm 1

Check for SELinux denials related to bridge traffic:

sudo ausearch -m avc -ts recent | grep bridge

Conclusion

Bridge networking on RHEL 7 is a foundational skill for administrators running virtualized workloads with KVM or containerized applications with Docker. You have learned to install bridge-utils, create a bridge interface using both nmcli and manual configuration files, assign the bridge a static IP address, attach a physical NIC as a bridge slave, and verify the configuration with brctl show and ip addr. The bridge-with-bonding pattern provides the redundancy required for production deployments, while proper firewall and SELinux configuration ensures security is maintained. With a properly configured bridge, virtual machines will receive IP addresses from your physical network DHCP server and communicate with all hosts as if they were physically present on the LAN.